chore(deps): update kubezero-storage-dependencies

2025-03-19 03:02:17 +00:00
35 changed files with 257 additions and 357 deletions
--- a/5
+++ b/5
@ -6,8 +6,8 @@ ARG ALPINE_VERSION
 ARG KUBE_VERSION=1.31

 ARG SOPS_VERSION="3.9.4"
-ARG VALS_VERSION="0.39.4"
-ARG HELM_SECRETS_VERSION="4.6.3"
+ARG VALS_VERSION="0.39.1"
+ARG HELM_SECRETS_VERSION="4.6.2"

 RUN cd /etc/apk/keys && \
    wget "https://cdn.zero-downtime.net/alpine/stefan@zero-downtime.net-61bb6bfb.rsa.pub" && \
@ -24,7 +24,6 @@ RUN cd /etc/apk/keys && \
      py3-yaml \
      restic \
      helm \
-      apache2-utils \
      ytt@testing \
      etcd-ctl@edge-community \
      cri-tools@kubezero \
--- a/admin/cluster_bootstrap.sh
+++ b/admin/cluster_bootstrap.sh
@ -1,44 +0,0 @@
-#!/bin/bash
-set -eEx
-set -o pipefail
-set -x
-
-VALUES=$1
-
-WORKDIR=$(mktemp -p /tmp -d kubezero.XXX)
-[ -z "$DEBUG" ] && trap 'rm -rf $WORKDIR' ERR EXIT
-
-SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-# shellcheck disable=SC1091
-. "$SCRIPT_DIR"/libhelm.sh
-CHARTS="$(dirname $SCRIPT_DIR)/charts"
-
-KUBE_VERSION="$(get_kube_version)"
-PLATFORM="$(get_kubezero_platform)"
-
-if [ -z "$KUBE_VERSION" ]; then
-  echo "Cannot contact cluster, cannot parse version!"
-  exit 1
-fi
-
-
-# Upload values into kubezero-values
-kubectl create ns kubezero || true
-kubectl create cm -n kubezero kubezero-values \
-    --from-file values.yaml=$VALUES || \
-    kubectl get cm -n kubezero kubezero-values -o=yaml | \
-    yq e ".data.\"values.yaml\" |= load_str($1)" | \
-    kubectl replace -f -
-
-### Main
-get_kubezero_values $ARGOCD
-
-# Always use embedded kubezero chart
-helm template $CHARTS/kubezero -f $WORKDIR/kubezero-values.yaml --kube-version $KUBE_VERSION --name-template kubezero --version ~$KUBE_VERSION --devel --output-dir $WORKDIR
-
-ARTIFACTS=(network addons cert-manager storage argo)
-
-for t in ${ARTIFACTS[@]}; do
-  _helm crds $t || true
-  _helm apply $t || true
-done
--- a/admin/dev_apply.sh
+++ b/admin/dev_apply.sh
@ -9,23 +9,34 @@ ARGOCD="${3:-true}"

 LOCAL_DEV=1

+#VERSION="latest"
+KUBE_VERSION="$(kubectl version -o json | jq -r .serverVersion.gitVersion)"
+
 WORKDIR=$(mktemp -p /tmp -d kubezero.XXX)
 [ -z "$DEBUG" ] && trap 'rm -rf $WORKDIR' ERR EXIT

 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-
 # shellcheck disable=SC1091
 . "$SCRIPT_DIR"/libhelm.sh
 CHARTS="$(dirname $SCRIPT_DIR)/charts"

-KUBE_VERSION="$(get_kube_version)"
-PLATFORM="$(get_kubezero_platform)"
-
-if [ -z "$KUBE_VERSION" ]; then
-  echo "Cannot contact cluster, cannot parse version!"
-  exit 1
+# Guess platform from current context
+_auth_cmd=$(kubectl config view | yq .users[0].user.exec.command)
+if [ "$_auth_cmd" == "gke-gcloud-auth-plugin" ]; then
+  PLATFORM=gke
+elif [ "$_auth_cmd" == "aws-iam-authenticator" ]; then
+  PLATFORM=aws
+else
+  PLATFORM=nocloud
 fi

+parse_version() {
+  echo $([[ $1 =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]] && echo "${BASH_REMATCH[0]//v/}")
+}
+
+KUBE_VERSION=$(parse_version $KUBE_VERSION)
+
+
 ### Main
 get_kubezero_values $ARGOCD

@ -34,7 +45,6 @@ helm template $CHARTS/kubezero -f $WORKDIR/kubezero-values.yaml --kube-version $

 # Root KubeZero apply directly and exit
 if [ ${ARTIFACTS[0]} == "kubezero" ]; then
-  [ -f $CHARTS/kubezero/hooks.d/pre-install.sh ] && . $CHARTS/kubezero/hooks.d/pre-install.sh
  kubectl replace -f $WORKDIR/kubezero/templates $(field_manager $ARGOCD)
  exit $?

--- a/admin/hooks-1.31.sh
+++ b/admin/hooks-1.31.sh
@ -14,12 +14,7 @@ pre_control_plane_upgrade_cluster() {

 # All things after the first controller / control plane upgrade
 post_control_plane_upgrade_cluster() {
-  # delete previous root app controlled by kubezero module
-  kubectl delete application kubezero-git-sync -n argocd || true
-
-  # Patch appproject to keep SyncWindow in place
-  kubectl patch appproject kubezero -n argocd --type json -p='[{"op": "remove", "path": "/metadata/labels"}]' || true
-  kubectl patch appproject kubezero -n argocd --type json -p='[{"op": "remove", "path": "/metadata/annotations"}]' || true
+  echo
 }


--- a/admin/kubezero.sh
+++ b/admin/kubezero.sh
@ -320,7 +320,7 @@ apply_module() {
  get_kubezero_values $ARGOCD

  # Always use embedded kubezero chart
-  helm template $CHARTS/kubezero -f $WORKDIR/kubezero-values.yaml --kube-version $KUBE_VERSION --name-template kubezero --version ~$KUBE_VERSION --devel --output-dir $WORKDIR
+  helm template $CHARTS/kubezero -f $WORKDIR/kubezero-values.yaml --version ~$KUBE_VERSION --devel --output-dir $WORKDIR

  # CRDs first
  for t in $MODULES; do
@ -330,7 +330,6 @@ apply_module() {
  for t in $MODULES; do
    # apply/replace app of apps directly
    if [ $t == "kubezero" ]; then
-      [ -f $CHARTS/kubezero/hooks.d/pre-install.sh ] && . $CHARTS/kubezero/hooks.d/pre-install.sh
      kubectl replace -f $WORKDIR/kubezero/templates $(field_manager $ARGOCD)
    else
      #_helm apply $t
--- a/admin/libhelm.sh
+++ b/admin/libhelm.sh
@ -44,40 +44,10 @@ function field_manager() {
 }


-function get_kube_version() {
-  local git_version="$(kubectl version -o json | jq -r .serverVersion.gitVersion)"
-  echo $([[ $git_version =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]] && echo "${BASH_REMATCH[0]//v/}")
-}
-
-
-function get_kubezero_platform() {
-  _auth_cmd=$(kubectl config view | yq .users[0].user.exec.command)
-  if [ "$_auth_cmd" == "gke-gcloud-auth-plugin" ]; then
-    PLATFORM=gke
-  elif [ "$_auth_cmd" == "aws-iam-authenticator" ]; then
-    PLATFORM=aws
-  else
-    PLATFORM=nocloud
-  fi
-  echo $PLATFORM
-}
-
-
-function get_secret_val() {
-  local ns=$1
-  local secret=$2
-  local val=$(kubectl get secret -n $ns $secret -o yaml | yq ".data.\"$3\"")
-
-  if [ "$val" != "null" ]; then
-    echo -n $val | base64 -d -w0
-  else
-    echo ""
-  fi
-}
-
-
 function get_kubezero_secret() {
-  get_secret_val kubezero kubezero-secrets "$1"
+  export _key="$1"
+
+  kubectl get secrets -n kubezero kubezero-secrets -o yaml | yq '.data.[env(_key)]' | base64 -d -w0
 }


@ -85,9 +55,7 @@ function set_kubezero_secret() {
  local key="$1"
  local val="$2"

-  if [ -n "$val" ]; then
-    kubectl patch secret -n kubezero kubezero-secrets --patch="{\"data\": { \"$key\": \"$(echo -n "$val" |base64 -w0)\" }}"
-  fi
+  kubectl patch secret -n kubezero kubezero-secrets --patch="{\"data\": { \"$key\": \"$(echo -n $val |base64 -w0)\" }}"
 }


@ -110,7 +78,6 @@ function update_kubezero_cm() {
    kubectl replace -f -
 }

-
 # sync kubezero-values CM from ArgoCD app
 function sync_kubezero_cm_from_argo() {
  get_kubezero_values true
@ -173,7 +140,7 @@ function delete_ns() {

 # Extract crds via helm calls
 function crds() {
-  helm template $(chart_location $chart) -n $namespace --name-template $module $targetRevision --include-crds -f $WORKDIR/values.yaml $API_VERSIONS --kube-version $KUBE_VERSION $@ | python3 -c '
+  helm secrets --evaluate-templates template $(chart_location $chart) -n $namespace --name-template $module $targetRevision --include-crds -f $WORKDIR/values.yaml $API_VERSIONS --kube-version $KUBE_VERSION $@ | python3 -c '
 #!/usr/bin/python3
 import yaml
 import sys
@ -245,7 +212,7 @@ function _helm() {

  if [ $action == "crds" ]; then
    # Pre-crd hook
-    [ -f $WORKDIR/$chart/hooks.d/pre-crds.sh ] && . $WORKDIR/$chart/hooks.d/pre-crds.sh
+    [ -f $WORKDIR/$chart/hooks.d/pre-crds.sh ] && (cd $WORKDIR; bash ./$chart/hooks.d/pre-crds.sh)

    crds

@ -257,7 +224,7 @@ function _helm() {
    create_ns $namespace

    # Optional pre hook
-    [ -f $WORKDIR/$chart/hooks.d/pre-install.sh ] && . $WORKDIR/$chart/hooks.d/pre-install.sh
+    [ -f $WORKDIR/$chart/hooks.d/pre-install.sh ] && (cd $WORKDIR; bash ./$chart/hooks.d/pre-install.sh)

    render
    [ $action == "replace" ] && kubectl replace -f $WORKDIR/helm.yaml $(field_manager $ARGOCD) && rc=$? || rc=$?
@ -266,7 +233,7 @@ function _helm() {
    [ $action == "apply" -o $rc -ne 0 ] && kubectl apply -f $WORKDIR/helm.yaml --server-side --force-conflicts $(field_manager $ARGOCD) && rc=$? || rc=$?

    # Optional post hook
-    [ -f $WORKDIR/$chart/hooks.d/post-install.sh ] && . $WORKDIR/$chart/hooks.d/post-install.sh
+    [ -f $WORKDIR/$chart/hooks.d/post-install.sh ] && (cd $WORKDIR; bash ./$chart/hooks.d/post-install.sh)

  elif [ $action == "delete" ]; then
    render
@ -279,7 +246,6 @@ function _helm() {
  return 0
 }

-
 function all_nodes_upgrade() {
  CMD="$1"

--- a/admin/upgrade_cluster.sh
+++ b/admin/upgrade_cluster.sh
@ -20,13 +20,13 @@ echo "Checking that all pods in kube-system are running ..."
 [ "$ARGOCD" == "true" ] && disable_argo

 # Check if we already have all controllers on the current version
-#OLD_CONTROLLERS=$(kubectl get nodes -l "node-role.kubernetes.io/control-plane=" --no-headers=true | grep -cv $KUBE_VERSION || true)
+OLD_CONTROLLERS=$(kubectl get nodes -l "node-role.kubernetes.io/control-plane=" --no-headers=true | grep -cv $KUBE_VERSION || true)

+# All controllers already on current version
 if [ "$OLD_CONTROLLERS" == "0" ]; then
-  # All controllers already on current version
  control_plane_upgrade finalize_cluster_upgrade
+# Otherwise run control plane upgrade
 else
-  # Otherwise run control plane upgrade
  control_plane_upgrade kubeadm_upgrade
 fi

@ -38,7 +38,7 @@ read -r
 #[ "$ARGOCD" == "true" ] && kubectl edit app kubezero -n argocd || kubectl edit cm kubezero-values -n kubezero

 # upgrade modules
-control_plane_upgrade "apply_kubezero, apply_network, apply_addons, apply_storage, apply_operators"
+control_plane_upgrade "apply_network, apply_addons, apply_storage, apply_operators"

 echo "Checking that all pods in kube-system are running ..."
 waitSystemPodsRunning
@ -47,9 +47,6 @@ echo "Applying remaining KubeZero modules..."

 control_plane_upgrade "apply_cert-manager, apply_istio, apply_istio-ingress, apply_istio-private-ingress, apply_logging, apply_metrics, apply_telemetry, apply_argo"

-# we replace the project during v1.31 so disable again
-[ "$ARGOCD" == "true" ] && disable_argo
-
 # Final step is to commit the new argocd kubezero app
 kubectl get app kubezero -n argocd -o yaml | yq 'del(.status) | del(.metadata) | del(.operation) | .metadata.name="kubezero" | .metadata.namespace="argocd"' | yq 'sort_keys(..)' > $ARGO_APP

--- a/charts/kubezero-argo/.helmignore
+++ b/charts/kubezero-argo/.helmignore
@ -25,4 +25,3 @@
 README.md.gotmpl
 dashboards.yaml
 jsonnet
-update.sh
--- a/charts/kubezero-argo/Chart.yaml
+++ b/charts/kubezero-argo/Chart.yaml
@ -1,7 +1,7 @@
 apiVersion: v2
 description: KubeZero Argo - Events, Workflow, CD
 name: kubezero-argo
-version: 0.3.2
+version: 0.3.0
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@ -18,15 +18,15 @@ dependencies:
    version: 0.2.1
    repository: https://cdn.zero-downtime.net/charts/
  - name: argo-events
-    version: 2.4.15
+    version: 2.4.13
    repository: https://argoproj.github.io/argo-helm
    condition: argo-events.enabled
  - name: argo-cd
-    version: 7.8.23
+    version: 7.8.9
    repository: https://argoproj.github.io/argo-helm
    condition: argo-cd.enabled
  - name: argocd-image-updater
-    version: 0.12.1
+    version: 0.12.0
    repository: https://argoproj.github.io/argo-helm
    condition: argocd-image-updater.enabled
 kubeVersion: ">= 1.30.0-0"
--- a/charts/kubezero-argo/README.md
+++ b/charts/kubezero-argo/README.md
@ -1,6 +1,6 @@
 # kubezero-argo

-![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square)
+![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square)

 KubeZero Argo - Events, Workflow, CD

@ -18,9 +18,9 @@ Kubernetes: `>= 1.30.0-0`

 | Repository | Name | Version |
 |------------|------|---------|
-| https://argoproj.github.io/argo-helm | argo-cd | 7.8.23 |
-| https://argoproj.github.io/argo-helm | argo-events | 2.4.15 |
-| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.12.1 |
+| https://argoproj.github.io/argo-helm | argo-cd | 7.8.9 |
+| https://argoproj.github.io/argo-helm | argo-events | 2.4.13 |
+| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.12.0 |
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |

 ## Values
@ -42,7 +42,6 @@ Kubernetes: `>= 1.30.0-0`
 | argo-cd.configs.params."controller.sync.timeout.seconds" | int | `1800` |  |
 | argo-cd.configs.params."server.enable.gzip" | bool | `true` |  |
 | argo-cd.configs.params."server.insecure" | bool | `true` |  |
-| argo-cd.configs.secret.argocdServerAdminPassword | string | `"secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.adminPassword"` |  |
 | argo-cd.configs.secret.createSecret | bool | `false` |  |
 | argo-cd.configs.ssh.extraHosts | string | `"git.zero-downtime.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7UgK7Z4dDcuIW1uMOsuwhrqdkJCvYG/ZjHtLM7WaKFxVRnzNnNkQJNncWIGNDUQ1xxrbsoSNRZDtk0NlOjNtx2aApSWl4iWghkpXELvsZtOZ7I9FSC/E6ImLC3KWfK7P0mhZaF6kHPfpu8Y6pjUyLBTpV1AaVwr0I8onyqGazJOVotTFaBFEi/sT0O2FUk7agwZYfj61w3JGOy3c+fmBcK3lXf/QM90tosOpJNuJ7n5Vk5FDDLkl9rO4XR/+mXHFvITiWb8F5C50YAwjYcy36yWSSryUAAHAuqpgotwh65vSG6fZvFhmEwO2BrCkOV5+k8iRfhy/yZODJzZ5V/5cbMbdZrY6lm/p5/S1wv8BEyPekBGdseqQjEO0IQiQHcMrfgTrrQ7ndbZzVZRByZI+wbGFkBCzNSJcNsoiHjs2EblxYyuW0qUvvrBxLnySvaxyPm4BOukSAZAOEaUrajpQlnHdnY1CGcgbwxw0LNv3euKQ3tDJSUlKO0Wd8d85PRv1THW4Ui9Lhsmv+BPA2vJZDOkx/n0oyPFAB0oyd5JNM38eFxLCmPC2OE63gDP+WmzVO61YCVTnvhpQjEOLawEWVFsk0y25R5z5BboDqJaOFnZF6i517O96cn17z3Ls4hxw3+0rlKczYRoyfUHs7KQENa4mY8YlJweNTBgld//RMUQ=="` |  |
 | argo-cd.configs.styles | string | `".sidebar__logo img { content: url(https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png); }\n.sidebar__logo__text-logo { height: 0em; }\n.sidebar { background: linear-gradient(to bottom, #6A4D79, #493558, #2D1B30, #0D0711); }\n"` |  |
@ -54,21 +53,30 @@ Kubernetes: `>= 1.30.0-0`
 | argo-cd.dex.enabled | bool | `false` |  |
 | argo-cd.enabled | bool | `false` |  |
 | argo-cd.global.image.repository | string | `"public.ecr.aws/zero-downtime/zdt-argocd"` |  |
-| argo-cd.global.image.tag | string | `"v2.14.9"` |  |
+| argo-cd.global.image.tag | string | `"v2.14.5"` |  |
 | argo-cd.global.logging.format | string | `"json"` |  |
 | argo-cd.global.networkPolicy.create | bool | `true` |  |
 | argo-cd.istio.enabled | bool | `false` |  |
 | argo-cd.istio.gateway | string | `"istio-ingress/ingressgateway"` |  |
 | argo-cd.istio.ipBlocks | list | `[]` |  |
-| argo-cd.kubezero.bootstrap | bool | `false` | deploy the KubeZero Project and GitSync Root App |
+| argo-cd.kubezero.bootstrap | bool | `false` |  |
 | argo-cd.kubezero.path | string | `"/"` |  |
-| argo-cd.kubezero.repoUrl | string | `""` |  |
-| argo-cd.kubezero.sshPrivateKey | string | `"secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.sshPrivateKey"` |  |
+| argo-cd.kubezero.repoUrl | string | `"https://git.my.org/thiscluster"` |  |
 | argo-cd.kubezero.targetRevision | string | `"HEAD"` |  |
 | argo-cd.notifications.enabled | bool | `false` |  |
 | argo-cd.redisSecretInit.enabled | bool | `false` |  |
+| argo-cd.repoServer.clusterRoleRules.enabled | bool | `true` |  |
+| argo-cd.repoServer.clusterRoleRules.rules[0].apiGroups[0] | string | `""` |  |
+| argo-cd.repoServer.clusterRoleRules.rules[0].resources[0] | string | `"secrets"` |  |
+| argo-cd.repoServer.clusterRoleRules.rules[0].verbs[0] | string | `"get"` |  |
+| argo-cd.repoServer.clusterRoleRules.rules[0].verbs[1] | string | `"watch"` |  |
+| argo-cd.repoServer.clusterRoleRules.rules[0].verbs[2] | string | `"list"` |  |
 | argo-cd.repoServer.metrics.enabled | bool | `false` |  |
 | argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` |  |
+| argo-cd.repoServer.volumeMounts[0].mountPath | string | `"/home/argocd/.kube"` |  |
+| argo-cd.repoServer.volumeMounts[0].name | string | `"kubeconfigs"` |  |
+| argo-cd.repoServer.volumes[0].emptyDir | object | `{}` |  |
+| argo-cd.repoServer.volumes[0].name | string | `"kubeconfigs"` |  |
 | argo-cd.server.metrics.enabled | bool | `false` |  |
 | argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` |  |
 | argo-cd.server.service.servicePortHttpsName | string | `"grpc"` |  |
--- a/charts/kubezero-argo/hooks.d/pre-install.sh
+++ b/charts/kubezero-argo/hooks.d/pre-install.sh
@ -1,23 +1,6 @@
-# Bootstrap kubezero-git-sync app only if it doesnt exist yet
-kubectl get application kubezero-git-sync -n argocd || \
-  yq -i '.argo-cd.kubezero.bootstrap=true' $WORKDIR/values.yaml
+#!/bin/sh

-# Ensure we have an adminPassword or migrate existing one
-PW=$(get_kubezero_secret argo-cd.adminPassword)
-if [ -z "$PW" ]; then
-  # Check for existing password in actual secret
-  NEW_PW=$(get_secret_val argocd argocd-secret "admin.password")
+# Bootstrap kubezero-git-sync app if it doenst exist
+kubectl get application kubezero-git-sync -n argocd && rc=$? || rc=$?

-  if [ -z "$NEW_PW" ];then
-    ARGO_PWD=$(date +%s | sha256sum | base64 | head -c 12 ; echo)
-    NEW_PW=$(htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/')
-
-    set_kubezero_secret argo-cd.adminPasswordClear $ARGO_PWD
-  fi
-
-  set_kubezero_secret argo-cd.adminPassword "$NEW_PW"
-fi
-
-# Redis secret
-kubectl get secret argocd-redis -n argocd || kubectl create secret generic argocd-redis -n argocd \
-    --from-literal=auth=$(date +%s | sha256sum | base64 | head -c 16 ; echo)
+[ $rc != 0 ] && yq -i '.argo-cd.kubezero.bootstrap=true' values.yaml
--- a/charts/kubezero-argo/secrets.yaml
+++ b/charts/kubezero-argo/secrets.yaml
@ -0,0 +1,22 @@
+# KubeZero secrets
+#
+test: supergeheim
+secrets:
+  - name: argocd-secret
+    optional: false
+    data:
+      admin.password: test
+      admin.passwordMtime: now
+      server.secretkey: boohoo
+  - name: zero-downtime-gitea
+    optional: true
+    data:
+      name: zero-downtime-gitea
+      type: git
+      url: ssh://git@git.zero-downtime.net/quark/kube-grandnagus.git
+      sshPrivateKey: |
+        boohooKey
+      metadata:
+        labels:
+          argocd.argoproj.io/secret-type: repository
+
--- a/charts/kubezero-argo/templates/argo-cd/admin-secret.yaml
+++ b/charts/kubezero-argo/templates/argo-cd/admin-secret.yaml
@ -1,13 +0,0 @@
-{{- if index .Values "argo-cd" "enabled" }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: argocd-secret
-  namespace: argocd
-  labels:
-    {{- include "kubezero-lib.labels" . | nindent 4 }}
-type: Opaque
-stringData:
-  admin.password: {{ index .Values "argo-cd" "configs" "secret" "argocdServerAdminPassword" }}
-  admin.passwordMtime: "2006-01-02T15:04:05Z"
-{{- end }}
--- a/charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-app.yaml
+++ b/charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-app.yaml
@ -1,11 +1,9 @@
-{{- if and (index .Values "argo-cd" "kubezero" "bootstrap") (index .Values "argo-cd" "kubezero" "repoUrl") }}
+{{- if index .Values "argo-cd" "kubezero" "bootstrap" }}
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: kubezero-git-sync
  namespace: argocd
-  labels:
-    {{- include "kubezero-lib.labels" . | nindent 4 }}
  annotations:
    argocd.argoproj.io/sync-wave: "-20"
 spec:
--- a/charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-secret.yaml
+++ b/charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-secret.yaml
@ -1,21 +0,0 @@
-{{- if index .Values "argo-cd" "kubezero" "repoUrl" }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: kubezero-git-sync
-  namespace: argocd
-  labels:
-    argocd.argoproj.io/secret-type: repository
-    {{- include "kubezero-lib.labels" . | nindent 4 }}
-type: Opaque
-stringData:
-  name: kubezero-git-sync
-  type: git
-  url: {{ index .Values "argo-cd" "kubezero" "repoUrl" }}
-  {{- if hasPrefix "https" (index .Values "argo-cd" "kubezero" "repoUrl") }}
-  username: {{ index .Values "argo-cd" "kubezero" "username" }}
-  password: {{ index .Values "argo-cd" "kubezero" "password" }}
-  {{- else }}
-  sshPrivateKey: {{ index .Values "argo-cd" "kubezero" "sshPrivateKey" }}
-  {{- end }}
-{{- end }}
--- a/charts/kubezero-argo/templates/argo-cd/kubezero-project.yaml
+++ b/charts/kubezero-argo/templates/argo-cd/kubezero-project.yaml
@ -1,11 +1,9 @@
-{{- if and (index .Values "argo-cd" "kubezero" "bootstrap") (index .Values "argo-cd" "kubezero" "repoUrl") }}
+{{- if index .Values "argo-cd" "kubezero" "bootstrap" }}
 apiVersion: argoproj.io/v1alpha1
 kind: AppProject
 metadata:
  name: kubezero
  namespace: argocd
-  labels:
-    {{- include "kubezero-lib.labels" . | nindent 4 }}
 spec:
  clusterResourceWhitelist:
  - group: '*'
@ -17,10 +15,4 @@ spec:
  sourceRepos:
  - https://cdn.zero-downtime.net/charts
  - {{ index .Values "argo-cd" "kubezero" "repoUrl" }}
-  syncWindows:
-    - kind: deny
-      schedule: '0 * * * *'
-      duration: 24h
-      namespaces:
-      - '*'
 {{- end }}
--- a/charts/kubezero-argo/values.yaml
+++ b/charts/kubezero-argo/values.yaml
@ -38,7 +38,7 @@ argo-cd:
      format: json
    image:
      repository: public.ecr.aws/zero-downtime/zdt-argocd
-      tag: v2.14.9
+      tag: v2.14.5
    networkPolicy:
      create: true

@ -81,9 +81,10 @@ argo-cd:

    secret:
      createSecret: false
-
      # `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/' | base64 -w0`
-      argocdServerAdminPassword: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.adminPassword
+      # argocdServerAdminPassword: "$2a$10$ivKzaXVxMqdeDSfS3nqi1Od3iDbnL7oXrixzDfZFRHlXHnAG6LydG"
+      # argocdServerAdminPassword: "ref+file://secrets.yaml#/test"
+      # argocdServerAdminPasswordMtime: "2020-04-24T15:33:09BST"

    ssh:
      extraHosts: "git.zero-downtime.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7UgK7Z4dDcuIW1uMOsuwhrqdkJCvYG/ZjHtLM7WaKFxVRnzNnNkQJNncWIGNDUQ1xxrbsoSNRZDtk0NlOjNtx2aApSWl4iWghkpXELvsZtOZ7I9FSC/E6ImLC3KWfK7P0mhZaF6kHPfpu8Y6pjUyLBTpV1AaVwr0I8onyqGazJOVotTFaBFEi/sT0O2FUk7agwZYfj61w3JGOy3c+fmBcK3lXf/QM90tosOpJNuJ7n5Vk5FDDLkl9rO4XR/+mXHFvITiWb8F5C50YAwjYcy36yWSSryUAAHAuqpgotwh65vSG6fZvFhmEwO2BrCkOV5+k8iRfhy/yZODJzZ5V/5cbMbdZrY6lm/p5/S1wv8BEyPekBGdseqQjEO0IQiQHcMrfgTrrQ7ndbZzVZRByZI+wbGFkBCzNSJcNsoiHjs2EblxYyuW0qUvvrBxLnySvaxyPm4BOukSAZAOEaUrajpQlnHdnY1CGcgbwxw0LNv3euKQ3tDJSUlKO0Wd8d85PRv1THW4Ui9Lhsmv+BPA2vJZDOkx/n0oyPFAB0oyd5JNM38eFxLCmPC2OE63gDP+WmzVO61YCVTnvhpQjEOLawEWVFsk0y25R5z5BboDqJaOFnZF6i517O96cn17z3Ls4hxw3+0rlKczYRoyfUHs7KQENa4mY8YlJweNTBgld//RMUQ=="
@ -116,8 +117,14 @@ argo-cd:
      serviceMonitor:
        enabled: true

+    volumes:
+      - name: kubeconfigs
+        emptyDir: {}
+    volumeMounts:
+    - mountPath: /home/argocd/.kube
+      name: kubeconfigs
+
    # Allow vals to read internal secrets across all namespaces
-    # @ignored
    clusterRoleRules:
      enabled: true
      rules:
@ -125,34 +132,6 @@ argo-cd:
          resources: ["secrets"]
          verbs: ["get", "watch", "list"]

-    # cmp vals plugin
-    # @ignored
-    extraContainers:
-      - name: cmp-vals
-        image: '{{ default .Values.global.image.repository .Values.repoServer.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag }}'
-        imagePullPolicy: '{{ default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy }}'
-        command: ["/var/run/argocd/argocd-cmp-server"]
-        volumeMounts:
-          - mountPath: /var/run/argocd
-            name: var-files
-          - mountPath: /home/argocd/cmp-server/plugins
-            name: plugins
-          - mountPath: /tmp
-            name: cmp-tmp
-        securityContext:
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-          runAsUser: 999
-          allowPrivilegeEscalation: false
-          seccompProfile:
-            type: RuntimeDefault
-          capabilities:
-            drop:
-            - ALL
-    volumes:
-      - name: cmp-tmp
-        emptyDir: {}
-
  server:
    # Rename former https port to grpc, works with istio + insecure
    service:
@ -184,16 +163,12 @@ argo-cd:
    ipBlocks: []

  kubezero:
-    # -- deploy the KubeZero Project and GitSync Root App
+    # only set this once initially to prevent the circular dependency
    bootstrap: false

-    # valid git+ssh repository url
-    repoUrl: ""
+    repoUrl: "https://git.my.org/thiscluster"
    path: "/"
    targetRevision: HEAD
-    sshPrivateKey: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.sshPrivateKey
-    username: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.username
-    password: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.password

 argocd-image-updater:
  enabled: false
--- a/charts/kubezero-auth/values.yaml
+++ b/charts/kubezero-auth/values.yaml
@ -19,7 +19,7 @@ keycloak:
  resources:
    limits:
      #cpu: 750m
-      memory: 1024Mi
+      memory: 768Mi
    requests:
      cpu: 100m
      memory: 512Mi
--- a/charts/kubezero-storage/Chart.yaml
+++ b/charts/kubezero-storage/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-storage
 description: KubeZero umbrella chart for all things storage incl. AWS EBS/EFS, openEBS-lvm, gemini
 type: application
-version: 0.8.10
+version: 0.8.11
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@ -24,11 +24,11 @@ dependencies:
    condition: lvm-localpv.enabled
    repository: https://openebs.github.io/lvm-localpv
  - name: aws-ebs-csi-driver
-    version: 2.39.3
+    version: 2.41.0
    condition: aws-ebs-csi-driver.enabled
    repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver
  - name: aws-efs-csi-driver
-    version: 3.1.6
+    version: 3.1.8
    condition: aws-efs-csi-driver.enabled
    repository: https://kubernetes-sigs.github.io/aws-efs-csi-driver
  - name: gemini
@ -36,7 +36,7 @@ dependencies:
    condition: gemini.enabled
    repository: https://charts.fairwinds.com/stable
  - name: k8up
-    version: 4.8.3
+    version: 4.8.4
    condition: k8up.enabled
    repository: https://k8up-io.github.io/k8up
 kubeVersion: ">= 1.26.0"
--- a/charts/kubezero/.helmignore
+++ b/charts/kubezero/.helmignore
@ -21,8 +21,4 @@
 .idea/
 *.tmproj
 .vscode/
-
-README.md.gotmpl
-dashboards.yaml
-jsonnet
-update.sh
+Chart.lock
--- a/charts/kubezero/README.md
+++ b/charts/kubezero/README.md
@ -35,10 +35,11 @@ Kubernetes: `>= 1.31.0-0`
 | addons.targetRevision | string | `"0.8.13"` |  |
 | argo.argo-cd.enabled | bool | `false` |  |
 | argo.argo-cd.istio.enabled | bool | `false` |  |
+| argo.argocd-apps.enabled | bool | `false` |  |
 | argo.argocd-image-updater.enabled | bool | `false` |  |
 | argo.enabled | bool | `false` |  |
 | argo.namespace | string | `"argocd"` |  |
-| argo.targetRevision | string | `"0.3.1"` |  |
+| argo.targetRevision | string | `"0.2.9"` |  |
 | cert-manager.enabled | bool | `false` |  |
 | cert-manager.namespace | string | `"cert-manager"` |  |
 | cert-manager.targetRevision | string | `"0.9.12"` |  |
--- a/charts/kubezero/docs/applicationSet.yaml
+++ b/charts/kubezero/docs/applicationSet.yaml
@ -0,0 +1,41 @@
+kind: ApplicationSet
+metadata:
+  name: kubezero
+  namespace: argocd
+  labels:
+    {{- include "kubezero-lib.labels" . | nindent 4 }}
+spec:
+  generators:
+  - git:
+      repoURL: {{ .Values.kubezero.applicationSet.repoURL }}
+      revision: {{ .Values.kubezero.applicationSet.revision }}
+      files:
+      {{- toYaml .Values.kubezero.applicationSet.files | nindent 6 }}
+  template:
+    metadata:
+      name: kubezero
+    spec:
+      project: kubezero
+      source:
+        repoURL: https://cdn.zero-downtime.net/charts
+        chart: kubezero
+        targetRevision: '{{ "{{" }} kubezero.version {{ "}}" }}'
+        helm:
+          parameters:
+          # We use this to detect if we are called from ArgoCD
+          - name: argocdAppName
+            value: $ARGOCD_APP_NAME
+          # This breaks the recursion, otherwise we install another kubezero project and app
+          # To be removed once we applicationSet is working and AppProject is moved back to ArgoCD chart
+          - name: installKubeZero
+            value: "false"
+          valueFiles:
+          - '{{ "{{" }} kubezero.valuesPath {{ "}}" }}/kubezero.yaml'
+          - '{{ "{{" }} kubezero.valuesPath {{ "}}" }}/values.yaml'
+
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: argocd
+      syncPolicy:
+        automated:
+          prune: true
--- a/charts/kubezero/hooks.d/pre-install.sh
+++ b/charts/kubezero/hooks.d/pre-install.sh
@ -1,6 +0,0 @@
-# ensure we have a basic kubezero secret for cluster bootstrap and defaults
-kubectl get secret kubezero-secrets -n kubezero && rc=$? || rc=$?
-
-if [ $rc != 0 ]; then
-  kubectl create secret generic kubezero-secrets -n kubezero
-fi
--- a/charts/kubezero/scripts/argocd_password.py
+++ b/charts/kubezero/scripts/argocd_password.py
--- a/charts/kubezero/scripts/patch_vs.sh
+++ b/charts/kubezero/scripts/patch_vs.sh
--- a/charts/kubezero/scripts/remove_argo_ns.sh
+++ b/charts/kubezero/scripts/remove_argo_ns.sh
@ -0,0 +1,7 @@
+#!/bin/bash
+
+ns=$(kubectl get ns -l argocd.argoproj.io/instance | grep -v NAME | awk '{print $1}')
+
+for n in $ns; do
+  kubectl label --overwrite namespace $n 'argocd.argoproj.io/instance-'
+done
--- a/charts/kubezero/scripts/remove_old_eck.sh
+++ b/charts/kubezero/scripts/remove_old_eck.sh
@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License;
+# you may not use this file except in compliance with the Elastic License.
+
+# Script to migrate an existing ECK 1.2.1 installation to Helm. 
+
+set -euo pipefail
+
+RELEASE_NAMESPACE=${RELEASE_NAMESPACE:-"elastic-system"}
+
+echo "Uninstalling ECK"
+kubectl delete -n "${RELEASE_NAMESPACE}" \
+    serviceaccount/elastic-operator \
+    secret/elastic-webhook-server-cert \
+    clusterrole.rbac.authorization.k8s.io/elastic-operator \
+    clusterrole.rbac.authorization.k8s.io/elastic-operator-view \
+    clusterrole.rbac.authorization.k8s.io/elastic-operator-edit \
+    clusterrolebinding.rbac.authorization.k8s.io/elastic-operator \
+    rolebinding.rbac.authorization.k8s.io/elastic-operator \
+    service/elastic-webhook-server \
+    statefulset.apps/elastic-operator \
+    validatingwebhookconfiguration.admissionregistration.k8s.io/elastic-webhook.k8s.elastic.co
+
--- a/charts/kubezero/templates/_app.tpl
+++ b/charts/kubezero/templates/_app.tpl
@ -25,8 +25,7 @@ spec:
    repoURL: {{ default "https://cdn.zero-downtime.net/charts" (index .Values $name "repository") }}
    targetRevision: {{ default "HEAD" ( index .Values $name "targetRevision" ) | quote }}
    helm:
-      # add with 1.32
-      #skipTests: true
+      skipTests: true
      valuesObject:
        {{- include (print $name "-values") $ | nindent 8 }}

--- a/charts/kubezero/templates/_aws.tpl
+++ b/charts/kubezero/templates/_aws.tpl
@ -1,30 +0,0 @@
-{{- define "aws-iam-env" -}}
- name: AWS_ROLE_ARN
-  value: "arn:aws:iam::{{ $.Values.global.aws.accountId }}:role/{{ $.Values.global.aws.region }}.{{ $.Values.global.clusterName }}.{{ .roleName }}"
- name: AWS_WEB_IDENTITY_TOKEN_FILE
-  value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
- name: AWS_STS_REGIONAL_ENDPOINTS
-  value: "regional"
- name: METADATA_TRIES
-  value: "0"
- name: AWS_REGION
-  value: {{ $.Values.global.aws.region }}
-{{- end }}
-
-
-{{- define "aws-iam-volumes" -}}
- name: aws-token
-  projected:
-    sources:
-    - serviceAccountToken:
-        path: token
-        expirationSeconds: 86400
-        audience: "sts.amazonaws.com"
-{{- end }}
-
-
-{{- define "aws-iam-volumemounts" -}}
- name: aws-token
-  mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
-  readOnly: true
-{{- end }}
--- a/charts/kubezero/templates/addons.yaml
+++ b/charts/kubezero/templates/addons.yaml
@ -1,6 +1,6 @@
 {{- define "addons-values" }}
 clusterBackup:
-  enabled: {{ ternary "true" "false" (or (eq .Values.global.platform "aws") .Values.addons.clusterBackup.enabled) }}
+  enabled: {{ ternary "true" "false" (or (hasKey .Values.global.aws "region") .Values.addons.clusterBackup.enabled) }}

  {{- with omit .Values.addons.clusterBackup "enabled" }}
  {{- toYaml . | nindent 2 }}
@ -14,7 +14,7 @@ clusterBackup:
  {{- end }}

 forseti:
-  enabled: {{ ternary "true" "false" (or (eq .Values.global.platform "aws") .Values.addons.forseti.enabled) }}
+  enabled: {{ ternary "true" "false" (or (hasKey .Values.global.aws "region") .Values.addons.forseti.enabled) }}

  {{- with omit .Values.addons.forseti "enabled" }}
  {{- toYaml . | nindent 2 }}
@ -28,7 +28,7 @@ forseti:
  {{- end }}

 external-dns:
-  enabled: {{ ternary "true" "false" (or (eq .Values.global.platform "aws") (index .Values "addons" "external-dns" "enabled")) }}
+  enabled: {{ ternary "true" "false" (or (hasKey .Values.global.aws "region") (index .Values "addons" "external-dns" "enabled")) }}

  {{- with omit (index .Values "addons" "external-dns") "enabled" }}
  {{- toYaml . | nindent 2 }}
@ -42,15 +42,32 @@ external-dns:
    - "--aws-zone-type=public"
    - "--aws-zones-cache-duration=1h"
  env:
-    {{- include "aws-iam-env" (merge (dict "roleName" "externalDNS") .) | nindent 4 }}
+    - name: AWS_REGION
+      value: {{ .Values.global.aws.region }}
+    - name: AWS_ROLE_ARN
+      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.externalDNS"
+    - name: AWS_WEB_IDENTITY_TOKEN_FILE
+      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
+    - name: AWS_STS_REGIONAL_ENDPOINTS
+      value: "regional"
+    - name: METADATA_TRIES
+      value: "0"
  extraVolumes:
-    {{- include "aws-iam-volumes" . | nindent 4 }}
+  - name: aws-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: token
+          expirationSeconds: 86400
+          audience: "sts.amazonaws.com"
  extraVolumeMounts:
-    {{- include "aws-iam-volumemounts" . | nindent 4 }}
+  - name: aws-token
+    mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
+    readOnly: true
  {{- end }}

 cluster-autoscaler:
-  enabled: {{ ternary "true" "false" (or (eq .Values.global.platform "aws") (index .Values "addons" "cluster-autoscaler" "enabled")) }}
+  enabled: {{ ternary "true" "false" (or (hasKey .Values.global.aws "region") (index .Values "addons" "cluster-autoscaler" "enabled")) }}

  autoDiscovery:
    clusterName: {{ .Values.global.clusterName }}
@ -81,9 +98,17 @@ cluster-autoscaler:
    AWS_WEB_IDENTITY_TOKEN_FILE: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
    AWS_STS_REGIONAL_ENDPOINTS: "regional"
  extraVolumes:
-    {{- include "aws-iam-volumes" . | nindent 4 }}
+  - name: aws-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: token
+          expirationSeconds: 86400
+          audience: "sts.amazonaws.com"
  extraVolumeMounts:
-    {{- include "aws-iam-volumemounts" . | nindent 4 }}
+  - name: aws-token
+    mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
+    readOnly: true
  {{- end }}

 {{- with .Values.addons.fuseDevicePlugin }}
@ -130,7 +155,14 @@ aws-node-termination-handler:
  queueURL: "https://sqs.{{ .Values.global.aws.region }}.amazonaws.com/{{ .Values.global.aws.accountId }}/{{ .Values.global.clusterName }}_Nth"
  managedTag: "zdt:kubezero:nth:{{ .Values.global.clusterName }}"
  extraEnv:
-    {{- include "aws-iam-env" (merge (dict "roleName" "awsNth") .) | nindent 4 }}
+    - name: AWS_ROLE_ARN
+      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.awsNth"
+    - name: AWS_WEB_IDENTITY_TOKEN_FILE
+      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
+    - name: AWS_STS_REGIONAL_ENDPOINTS
+      value: "regional"
+    - name: METADATA_TRIES
+      value: "0"

 aws-eks-asg-rolling-update-handler:
  enabled: {{ default "true" (index .Values "addons" "aws-eks-asg-rolling-update-handler" "enabled") }}
@ -140,9 +172,10 @@ aws-eks-asg-rolling-update-handler:
  {{- end }}

  environmentVars:
-    {{- include "aws-iam-env" (merge (dict "roleName" "awsRuh") .) | nindent 4 }}
    - name: CLUSTER_NAME
      value: {{ .Values.global.clusterName }}
+    - name: AWS_REGION
+      value: {{ .Values.global.aws.region }}
    - name: EXECUTION_INTERVAL
      value: "60"
    - name: METRICS
@ -151,6 +184,12 @@ aws-eks-asg-rolling-update-handler:
      value: "true"
    - name: SLOW_MODE
      value: "true"
+    - name: AWS_ROLE_ARN
+      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.awsRuh"
+    - name: AWS_WEB_IDENTITY_TOKEN_FILE
+      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
+    - name: AWS_STS_REGIONAL_ENDPOINTS
+      value: "regional"

 {{- with (index .Values "addons" "neuron-helm-chart") }}
 neuron-helm-chart:
--- a/charts/kubezero/templates/argo.yaml
+++ b/charts/kubezero/templates/argo.yaml
@ -23,51 +23,11 @@ argo-cd:
    metrics:
      enabled: {{ .Values.metrics.enabled }}
  repoServer:
+    metrics:
+      enabled: {{ .Values.metrics.enabled }}
    {{- with index .Values "argo" "argo-cd" "repoServer" }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
-
-    metrics:
-      enabled: {{ .Values.metrics.enabled }}
-
-    volumes:
-      - name: cmp-tmp
-        emptyDir: {}
-    {{- if eq .Values.global.platform "aws" }}
-      {{- include "aws-iam-volumes" . | nindent 6 }}
-
-    env:
-      {{- include "aws-iam-env" (merge (dict "roleName" "argocd-repo-server") .) | nindent 6 }}
-    volumeMounts:
-      {{- include "aws-iam-volumemounts" . | nindent 6 }}
-
-    extraContainers:
-      - name: cmp-vals
-        image: '{{ "{{" }} default .Values.global.image.repository .Values.repoServer.image.repository {{ "}}" }}:{{ "{{" }} default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag {{ "}}" }}'
-        imagePullPolicy: '{{ "{{" }} default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy {{ "}}" }}'
-        command: ["/var/run/argocd/argocd-cmp-server"]
-        env:
-          {{- include "aws-iam-env" (merge (dict "roleName" "argocd-repo-server") .) | nindent 10 }}
-        volumeMounts:
-          - mountPath: /var/run/argocd
-            name: var-files
-          - mountPath: /home/argocd/cmp-server/plugins
-            name: plugins
-          - mountPath: /tmp
-            name: cmp-tmp
-          {{- include "aws-iam-volumemounts" . | nindent 10 }}
-        securityContext:
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-          runAsUser: 999
-          allowPrivilegeEscalation: false
-          seccompProfile:
-            type: RuntimeDefault
-          capabilities:
-            drop:
-            - ALL
-    {{- end }}
-
  server:
    metrics:
      enabled: {{ .Values.metrics.enabled }}
@ -91,13 +51,30 @@ argocd-image-updater:
  {{- toYaml . | nindent 2 }}
  {{- end }}

-  {{- if eq .Values.global.platform "aws" }}
+  {{- if .Values.global.aws }}
  extraEnv:
-    {{- include "aws-iam-env" (merge (dict "roleName" "argocd-image-updater") .) | nindent 4 }}
+    - name: AWS_ROLE_ARN
+      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.argocd-image-updater"
+    - name: AWS_WEB_IDENTITY_TOKEN_FILE
+      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
+    - name: AWS_STS_REGIONAL_ENDPOINTS
+      value: "regional"
+    - name: METADATA_TRIES
+      value: "0"
+    - name: AWS_REGION
+      value: {{ .Values.global.aws.region }}
  volumes:
-    {{- include "aws-iam-volumes" . | nindent 4 }}
+  - name: aws-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: token
+          expirationSeconds: 86400
+          audience: "sts.amazonaws.com"
  volumeMounts:
-    {{- include "aws-iam-volumemounts" . | nindent 4 }}
+  - name: aws-token
+    mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
+    readOnly: true
  {{- end }}

  metrics:
--- a/charts/kubezero/templates/metrics.yaml
+++ b/charts/kubezero/templates/metrics.yaml
@ -1,6 +1,6 @@
 {{- define "_kube-prometheus-stack" }}

-{{- if eq .global.platform "aws" }}
+{{- if .global.aws.region }}
 alertmanager:
  alertmanagerSpec:
    podMetadata:
--- a/charts/kubezero/values.yaml
+++ b/charts/kubezero/values.yaml
@ -6,9 +6,7 @@ global:

  highAvailable: false

-  aws:
-    accountId: "123456789012"
-    region: the-moon
+  aws: {}
  gcp: {}

 addons:
@ -117,7 +115,7 @@ logging:
 argo:
  enabled: false
  namespace: argocd
-  targetRevision: 0.3.2
+  targetRevision: 0.3.0
  argo-cd:
    enabled: false
    istio:
--- a/docs/hooks.md
+++ b/docs/hooks.md
@ -1,11 +0,0 @@
-# KubeZero Helm hooks
-
-## Abstract
-Scripts within the `hooks.d` folder of each chart are executed at the respective times when the charts are applied via libhelm.
-
-*These hooks do NOT work via ArgoCD*
-
-## Flow
- hooks are execute as part of the libhelm tasks like `apply`
- are running with the current kubectl context
- executed at root working directory, eg. set a value for helm the scripts can edit the `./values.yaml` file.
--- a/docs/v1.31.md
+++ b/docs/v1.31.md
@ -3,7 +3,6 @@
 ## What's new - Major themes
 - all KubeZero and support AMIs based on [Alpine 3.21](https://alpinelinux.org/posts/Alpine-3.21.0-released.html)
 - network policies for ArgoCD
- Nvidia worker nodes are labeled with detected GPU product code
 - Prometheus upgraded to V3, reducing CPU and memory requirements, see [upstream blog](https://prometheus.io/blog/2024/11/14/prometheus-3-0/)

 ## Features and fixes
@ -11,10 +10,10 @@

 ## Version upgrades
 - cilium 1.16.6
- istio 1.24.3
- ArgoCD 2.14.5 [custom ZDT image](https://git.zero-downtime.net/ZeroDownTime/zdt-argocd)
+- istio 1.24.2
+- ArgoCD 2.14.3 [custom ZDT image](https://git.zero-downtime.net/ZeroDownTime/zdt-argocd)
 - Prometheus 3.1.0 / Grafana 11.5.1
- Nvidia container toolkit 1.17.4, drivers  570.86.15, Cuda 12.8
+- Nvidia container toolkit 1.17, drivers  565.57.01, Cuda 12.7

 ## Resources
 - [Kubernetes v1.31 upstream release blog](https://kubernetes.io/blog/2024/08/13/kubernetes-v1-31-release/)